Some competitors and independent experts questioned the scope of his claim. It was unclear, they said, how much of Holden’s data came from previously known breaches or included old, invalid passwords. Just as unclear was how much data the Russian hackers had stolen themselves and how much they had collected from others.

“What’s a breach?” Holden asked in a phone interview Tuesday. “I don’t want to get into the semantics of ‘What’s a breach?’ ”

Answers to some questions may be unknowable – the share of data from new breaches, for example. “Everything was not fresh,” Holden said. “Some of the information was fresh. It was hard to tell in what numbers.”

Similarly, he said some of the data remains encrypted, but the “vast majority” isn’t. As for how much of the data the gang stole itself versus obtained elsewhere, Holden said, “It’s hard to tell.”

Holden’s remarks illustrate the challenges of studying the dark side of the Internet. Security researchers can face hard choices about whether to go public with limited knowledge to generate publicity and raise awareness, even if that prompts questions they can’t answer.

Complicating matters, security companies often have a financial incentive to disclose threats, which can prompt individuals or companies to spend on cyberdefenses. In a blog post announcing the gang, which he dubbed “CyberVor,” Holden offered to help website operators check if they were affected – for $120 a month. His website now says the service is $120 a year.

Security researcher Ashkan Soltani last week said the timing of Holden’s disclosure and his plan to charge potential victims “seems predatory at best.”

Holden declined multiple interview requests last week after the New York Times first reported his findings. He broke his silence Tuesday, telling Forbes that the controversy surrounding his claims has hurt his business.

In an interview with The Wall Street Journal, Holden said it would be impossible for him to notify every business potentially affected by the hacks for free. He noted that antivirus software companies charge for similar services.

Holden said he has a tool that would let individuals check if they were affected by the breaches for free. He looked up the personal email address of a Journal reporter, and found a password the reporter has used in the past.

Holden wouldn’t discuss how he obtained the data other than to stress he didn’t steal anything from the cyberthieves. He said hackers have been “showing it to us.”

One of his challenges, he said, is to comb through cybercrime forums to separate real criminals from hacker kids making unsubstantiated claims.

“There is a lot of misinformation,” Holden said. “It is quite a difficult task for us to discern a truth from a lie.”